Continuous cloud compliance is essential to maintain the security of applications and systems in the cloud. At DevSecCon London next week I'll be talking about my experiences in this area, and how an effective solution needs to include prevention, detection and remediation elements.

The DevSecOps Toolkit illustrates the spectrum of tools which can be used for various purposes (columns) across the primary system components (rows). The named open source projects and vendors are examples - it's not possible to be completely comprehensive in a single diagram.

An organisation can use the toolkit to help assess their DevSecOps maturity - ideally there should be at least one tool in each area.

This is a very fast-moving field: for example, "SOAR" (Security Orchestration, Automation and Response) is a new category created in late 2017.

Why do developers put keys and secrets in code repositories?

Developers and DevOps engineers want to automate application and infrastructure deployment, and the most straightforward way to do this can be to include the necessary keys and secrets in code. Sometimes this starts off as an initial proof of concept, but then ends up in production.

It's also easy to accidentally push a credential to a repository. I've done this myself with an Azure service principal credential. Fortunately it was a repository on a private network with limited access.

How can I discover keys and secrets in code repositories?

I've created a GitHub repository and deliberately included some keys and secrets. As it's a small repository, you can probably find them all manually. You can also scan using a tool such as GitRob.

DevSecOps is a new way of working, as described in my blog post "What is DevSecOps? And Why is it needed?" As I was developing the training course DevSecOps Hands-on, I realised I needed a DevSecOps framework encompassing the elements making up DevSecOps, which I then used to define the topic areas of the course at a high level: